How to control and secure blazor spa pwa app?

Question

I have pwa blazor .NET 5 app hosted on github. People use this app at work, installed through chrome or firefox or safari on devices. It works offline and updates cache if I change service worker.js and publish it. And all is fine. But how can I manage access for it, since it has to work offline, when some employee resign from work, how can I delete remotely this app on only his devices?

Answer 1

If you're stuck with the pwa offline approach (which, let's be honest, isn't great for security) then the best you can do is encrypt your local storage with a token that's masked only with blazor's built-in obfuscation.

Ideally, you would be able to at least require an externally-hosted identity login when using the app, but if you are truly offline, then obfuscation of an encryption token is the best you can do (if you are stuck with the pwa template).

If you know your users are using windows, you could augment the Pwa with a windows service that provides rotating encryption tokens via encrypted assembles, but that would assume you would be willing/able to do installs of windows services on each user machine, and it wouldn't keep the user out of the app.

Hopefully, you didn't locally store any health/financial info or social security numbers, and you encrypted the local store with an obfuscated token.

Another thing you could do is require logins with an idp server at regular intervals. This would at least keep the window of exposure smaller. You would still be able to work offline most of the time.